Microsoft Defender for Endpoint auditing capabilities
Important correction [must read]
At the time of creating the video I overlooked the fact that CloudAppEvents are available in the security.microsoft.com portal and that you can sync those using the Microsoft XDR connector.
This means that what I say at 12:39 is not true, and there is a way to get these logs into Sentinel easily.
Using advanced hunting in the security.microsoft.com portal we can query the CloudAppEvents table. Those are similar to the logs I showed in chapter 09:05 Accessing the audit logs – audit logs in MDCA activity logs:
CloudAppEvents
| extend data = parse_json(RawEventData)
| where data.Workload == "MicrosoftDefenderForEndpoint"
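As an added example (not from the original post), the same filter can be extended into a daily per-account summary of Defender for Endpoint portal actions, which is a useful baseline for spotting unexpected administrative activity. It relies on the standard CloudAppEvents columns Timestamp, ActionType and AccountDisplayName; the Workload check on RawEventData is the one from the query above.

```kql
// Added example: summarise Defender for Endpoint audit activity per account and day.
// Uses the CloudAppEvents columns Timestamp, ActionType, AccountDisplayName and RawEventData.
CloudAppEvents
| extend data = parse_json(RawEventData)
| where data.Workload == "MicrosoftDefenderForEndpoint"
| summarize
    Actions = count(),
    Operations = make_set(ActionType, 50),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AccountDisplayName, Day = bin(Timestamp, 1d)
| order by Actions desc
```

The same query runs unchanged in Sentinel once the CloudAppEvents table is synced through the Microsoft XDR connector.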
Getting these logs into Sentinel
You can get the logs into Sentinel using the Microsoft XDR connector, where you can choose to sync CloudAppEvents. Be aware that this will cost a lot, as this table generates a large amount of data.